Monday, July 04, 2011

For/Sec Linkfest: Revolutionary Edition

image

cc attrib: The US Army on flickr, DoD photo by Air Force Tech. Sgt. Jacob N. Bailey

This season’s July 4th finds Lavie and I quietly resting at home watching “classic” revolutionary period movies on TCM. Alvis has flow the coop to a week-long church-youth camp. Firework sales and use have been banned by all the area counties and municipalities due to the record-busting Texas drought and heat.  We will probably have to suffice with watching celebratory events in HDTV-mode again tonight.

The weekend has been pretty light on tech-support calls. Dad wanted to give his father-in-law’s old cobbled-together “antique” PC system a refresh so I picked out a nice basic-home-user-grade Dell Inspiron 570 model that will be way sufficient for his pretty-much email-only PC needs.  Dad and little-bro set it up yesterday and did most of the pre-installation setup and file-transfer.  I’ll do some remote-support work this afternoon to lock it down and recover some account passwords and such off the old system and get them going on the new one.   And then yesterday I stripped-down the keyboard off Lavie’s laptop.  Seems a week or so ago, Lavie fell asleep with both a small tumbler of sweet tea and her laptop on her chest.  A very small portion of the tea ended up in the keyboard. Oops. (very) Fortunately the keyboard tray caught all of the spillage. (un) Fortunately, it was sweet (sugared) tea, so let’s just say the keys were less than responsive with spring-back action.  That restoration job took about three hours. Disassembly and cleaning was pretty straight-forward. However getting the scissor-action two-piece key travel parts re-mounted was very delicate work as I didn’t want to break any of them. It took me about twenty minutes to get the mating and mounting technique down before my pace picked up.  All is well now and Lavie is clickity-clicking again happily.

Offered here today is a forensic and security slanted linkfest.  This folder has been very, very full for a very long time.  What survives below are the best of the best as the blogging room floor is littered with editing cuts and discarded linkage that didn’t age well.

In the Reading Room

(IN)SECURE Magazine is a great source of security and network issues. I keep several of these PDF files on both my laptop and Kindle for go-to reading when things are slow. (IN)SECURE Magazine issue 29 and (IN)SECURE Magazine issue 30 are the most current. However, pop onto the Archive page to look for past issues that may have some gems.  For example, this early ISSUE 4 (PDF link) has a great article “Structured Traffic Analysis” on pg 6 written by network sec guru Richard Bejtlich. While the article could probably be updated with the newer network analysis tools made available since Oct 2005, the framework Richard lays out still works very well.

InfoSec Resources has lots of great articles to read and study. Check out their article archives for a really wide range of for-sec articles and whitepapers.

CERT Societe Generale - IRM (Incident Response Methodologies) as some good incident handling guides to review or keep filed within reach.

Dashboard | SANS Internet Storm Center - Security “dashboards” look cool and can communicate valuable information. I’ve got several I keep an eye on from time to time.  SANS has recently updated theirs.

Girl, Unallocated - Newly added forensics blog to my RSS feed list.  Fresh perspectives are always welcome at GSD!

VRT: A Close Look at Rogue Antivirus Programs - Post by Alain Zidouemba that contains PDF of the slides presented on his talk "A Close Look at Rogue Antivirus Programs" given at Hack in Paris conference.  I’ve lately been paying closer attention to articles on malware (particularly rogue-securityware) vectors.

Security Aegis has some great posts Real OSINT and OSINT, because knowing is half the battle on “open-source intelligence” work.  This is good stuff as when you are doing network traffic analysis, being able to attempt to track down and understand the names/handles seen in the traffic may provide additional clues in your incident response analysis.

The posts over at Malware Intelligence don’t come fast-enough for me, but when they do, they are golden. JAVA Drive-by [infection] On Demand actually got their hands on a “drive-by” generator and pick it apart. Neat.

Network Traffic: News and Reports

Lots and lots of goodies here!

The folks at Packet Life have posted some good material recently: Proving the Network is Not the Problem With iperf and Long-Term Traffic Capture With Wireshark offer great tips and techniques for you network jockeys.

Out of comments from those posts came a jump to the NetStress Network Benchmarking Tool and NetSurveyor Network Discovery Tool -- both of which are offered for free by Performance WiFi.

LoveMyTool blog has the following juicy fruits: Microsoft Network Monitor 3.4: Search the Description Column (by Joke Snelders) and A Deeper Look into Your Network - Cool Tool (by Vivek Rajagopalan)

That second one points us to Trisul Network Metering and Forensics tool.  If you just need “near-time” network traffic reporting and analysis, then the Free rolling 3 day window version looks hard to beat.

TinyApps.Org Blog : Setup a virtual network lab brings to our attention the free Marionnet.org project for networking practice and study.  It is a very cool project.

The Case of the Great Router Robbery over at InfoSec Resources poses some deep thoughts about the importance of physically securing your routers.  It’s not just because many of they are outright high-dollar items to begin with, but the configuration data on them is golden for pen-attack reconnaissance and enablement. It closes with some good thoughts about securing your device if it is stolen and what you should do if loss does occur.

Network Mystery #1 (by Betty DuBois) at LoveMyTool has both a recorded presentation as well as slide-show PDF from Sharkfest 2011. It is appx 1:26 long so it isn’t a fast-view.  That said, Betty offers some great guided material for you network tracers.

" ... In this session, Detective Betty DuBois will review one of the elusive network cases she has solved using Wireshark and Pilot. There will be plenty of forensics evidence provided, and lots of practical information to help you solve your own network mysteries. This session will be a deep dive into the "Case of the Slow Network". Betty will walk the attendees through how the data was captured (tshark & AirPcap), the methods used to isolate the problem (SMTP relay infection), and which users were infected ... "

Network Traffic: Tools and Techniques

Solution to the Nitroba case - Erik Hjelmvik (Network Miner) on the NETRESC blog posts some great network forensics tips specific to the “Nitroba Case” exercise. I was fortunate enough to read the first-post version before some elements were modified. Regardless it is a great example of how NetworkMiner can be used to analyze and dissect network traces in investigatory work.

Tools for modeling the user-traffic - superlist of network traffic analysis tools over at comlab.uni-rostock.de.  Bookmarkable.

RawCap sniffer for Windows released - NETRESEC Blog. I’m sure I’ve posted this here. Erik released a CLI tool for raw-socket network captures. It’s a slim single-exe file and is pretty cool. No installation required. Definitely worth keeping on a USB stick.  I like that I could download it to a local (remote) system and run a targeted trace of that system’s network traffic without needing to install a larger app like Wireshark. Likewise, as Erik suggests in the post, one could “…use the Sysinternals tool PsExec to inject RawCap.exe onto the [remote system] and sniff the packets.”

Split or filter your PCAP files with SplitCap - NETRESEC Blog. Not a new tool, but an update to v1.6. This CLI tool can slice-n-dice very large PCAP files into smaller sets based on IP addresses or sessions. Sure, you can do filtering work in Wireshark and NetMon as well, but this is a very fast tool and makes bulk PCAP file splitting/filtering very easy.

York::Log all network traffic - The SZ Development.  Interesting network sniffing/logging tool.  Certainly not for Wireshark/NetMon pros; however the GUI and basic logging/websession monitoring features might make it more user-friendly for folks getting their feet wet.

NMTopProtocols Expert Released - Network Monitor Blog

Using Wireshark's editcap to Remove Duplicate Packets Packets (by Tony Fortunato) - LoveMyTool guided post.

Bittwiste: pcap Capture File Editor (by Joke Snelders) - LoveMyTool - review and thoughts on how to use the Bit-Twist program for packet manipulation.

So Many Tools…So Little Time!

Windows Incident Response: Using RegRipper - WindowsIR blog. Harlan provides us an updated guide on how to effectively use his amazing RegRipper tool. See also the New Plugins from Harlan.

Kissin-Kousin of RegRipper is Woanware’s RegExtract.  I believe they complement each other nicely. Keeping up with the active updates to RegExtract can be challenging. Focusing on the most recent may cause you to overlook other features that have previously snuck in! See these: RegExtract v1.1.3, RegExtract v1.1.4, RegExtract v1.1.5, RegExtract v1.1.6, and the latest, RegExtract v1.1.7.

Also recently updated in the Woanware factory:

Dropbox Reader - by CyberMarshal. CLI tool collection for investigating DropBox cloud-storage software indicators.

DumpStrings.1sc - Didier Stevens shares a script that dumps ASCII and UNICODE strings found in a file. To be used with 010 Editor.

P2 Shuttle Free - Paraben Corporation - Free multi-tool to remotely mount disks, do live-system process reconnoiter, memory capture, machine searching, active file browsing of email, chant and IE history, and open a disk without mounting. This version does have some limitations so understand before relying on it too much.

P2 eXplorer Free - Paraben Corporation - Free utility to mount forensic disk images of many different formats.

Meanwhile the folks at Mandiant have been busy making material as well:

  • MANDIANT Intelligent Response 2.0. See this MIR 2.0 Released post for more info. (not free)
  • MANDIANT Redline - (free) - “Redline is a free utility from MANDIANT that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis. Designed to help find even the best-hidden malware, it analyzes and rates every running process on a system according to risk, combining Memoryze's live memory analysis with MRI (Malware Risk Index) scoring. Redline makes memory forensics accessible to any investigator without relying upon easily-defeated signature-based detection.”
  • Highlighter v1.1.2 Released

In both posts Windows Incident Response: Tools and Meetup, Tools and other stuff  - Harlan offers a great listing of for-sec tools.  I especially liked the discussion of “Jump Lists”.

Complementing that discussion is the new woanware tool JumpLister v1.0.0.  “JumpLister is designed to open one or more Jump List files, parse the Compound File structure, then parse the link file streams that are contained within. It uses the LNK parser I wrote so stuff like object ID’s and MAC addresses are handled.” Sweet!

The H Security announced that Microsoft releases Security Essentials 2.1.  Despite the fact that the recent system infections I had to clean were able to overwhelm (previous versions of) Microsoft Security Essentials, I still have lots of confidence in the product for home users. In these cases, outdated Java/Flash versions left the door to the barn open and MSSE couldn’t keep up with the attack. Any a new version has been quietly released.  It’s actually been out for about a week but Windows Updates and/or MSSE internal updating didn’t pick it up. However if you want it now (recommended) download the new version directly from the product page and run. It will do an in-place upgrade with no fuss. For more info or download locations:

How-To’s and Info of Note

Create a Bootable DBAN USB Pen Drive - TrishTech - Vendor dude has a contract to secure(DoD) wipe our out-of-service system HDD’s before they are returned to the lessor. Most of the time he is running a bank of bases and tossing in a Darik's Boot And Nuke (DBAN) CD and wiping away. Periodically however he would run into a system with a bad CD-ROM drive and would have to strip out the HDD and put it into another system to then run his CD.  I asked him why he didn’t just make a boot-USB version of DBAN. Brilliant, wasn’t it….  Here you go.

Security Braindump: Virtualizing Raw Disk Images - Because you know one day you will need to…

Windows Security Center: Under the Hood - Didier Stevens. Wish I had this post from Didier when I had composed this GSD post: How to Repair Windows Security Center List Items.

Tim Mugherini presents NTFS MFT Timelines and Malware Analysis - posted by John Strand at PaulDotCom.

Internet Explorer 9 Security Part 4: Protecting Consumers from Malicious Mixed Content - IEBlog.

For-Sec Live CD News

The world of “Live CD’s” is alive and healthy.

Security Onion 20110628 now available - I’ve only recently become acquainted with the tools and features of Security Onion distro. Very nice and has some great includes from Doug Burks.

PALADIN Download - Sumuri - Version 1.0 was released back in April 11. 

DEFT Linux 6.1 Computer Forensics live cd was also released back in April 11. See this new “draft” DEFT english manual if you are not already familiar with this distro.

BackTrack Linux 5.0 - Penetration Testing Distribution was released in May 11.  It’s a whopper so unless you got a big pipe, you may need to start the download when you put the cat out for the night.

As previously mentioned here on GSD, Brett Shavers the WinFE guy has been hard at work evangelizing on the WinFE distro.

Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 - 4sysops

Whew!

Now this post is out of the way, I can turn attention back to an Xplico follow-up along with a collection of linkage that came out of a conversation with TinyApps on write-block hardware that has been gathering dust for quite a while.

Happy 4th!

--Claus V.

2 comments:

Dave Nelson said...

Your foresec linkfests contain more raw power than all my RSS combined. Awesome. TYTY

lordpake said...

+1 to Dave Nelson :) Your blog is the only one of my RSS subscriptions that I always look forward to reading.